[VoiceOps] Fraud fun
Mark R Lindsey
lindsey at e-c-group.com
Wed May 18 13:34:51 EDT 2011
Cool use if iptables. There's definitely short-term tactical value in taking advantage of the signature "friend-scanner" --
But we also know that the SIPvicious user population is getting more sophisticated.
-- At our clients, they've slowed their scanning rate so they're not longer causing overload attacks.
-- It's just a matter of time before they remove the string "friendly-scanner" from their SIP messages.
mark at ecg.co | +1-229-316-0013 | http://ecg.co/lindsey
On May 18, 2011, at 12:46 PM, Alex Balashov wrote:
> Ghetto, but goes a long way in helping harden individual Asterisk servers on which one has no choice but to leave the SIP call agent open to the public Internet:
>
> iptables -A INPUT -p UDP --dport 5060 -m string --string 'friendly-scanner' -j DROP
>
>
> On 05/18/2011 12:42 PM, Spencer wrote:
>
>> I'm not sure what your requirements are but, we recently blocked all
>> non-ARIN IP space from reaching our registrars. We had something similar
>> happen and this has essentiallyeliminated the fraudulent calls we saw.
>>
>> Thanks,
>> Spencer
>>
>> ------------------------------------------------------------------------
>> Message: 1
>> Date: Tue, 17 May 2011 15:53:15 -0700
>> From: Darren Schreiber <d at d-man.org <mailto:d at d-man.org>>
>> To: "VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>"
>> <VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>>
>> Subject: [VoiceOps] Fraud fun
>> Message-ID: <C9F84A6B.2097A%d at d-man.org <mailto:d at d-man.org>>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Hi folks,
>> We have been hit twice in the past two days with calls to
>> 011-252-XXXXXXXX (calls to Somalia I believe, and the originating IP is
>> from Pakistan)
>>
>> It's the same user each time, I think he had a weak password, but it
>> cost us over $100, which isn't too bad (we catch it quick) but I'd like
>> to get it closer to $0. :-)
>>
>> Any good recommendations for IP ranges to block from incoming connections?
>>
>> Thanks,
>>
>> Darren Schreiber
>> CEO / Co-Founder
>>
>> 2600hz | www.2600hz.com <http://www.2600hz.com><http://www.2600hz.com/>
>> sip:darren at 2600hz.com <mailto:darren at 2600hz.com>
>> tel:415-886-7901
>>
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL:
>> <https://puck.nether.net/pipermail/voiceops/attachments/20110517/f0aaf5b7/attachment-0001.html>
>>
>>
>>
>>
>>
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
>
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
More information about the VoiceOps
mailing list